Bug 33218

Summary: Thunderbird 115.11
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, fri, joselp, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: thunderbird, thunderbird-l10n CVE: CVE-2024-4367, CVE-2024-4767, CVE-2024-4768, CVE-2024-4769, CVE-2024-4770, CVE-2024-4777
Status comment:
Bug Depends on: 33211    
Bug Blocks:    

Description Nicolas Salguero 2024-05-16 14:36:31 CEST 
Mozilla has released Thunderbird 115.11 on May 14:
https://www.thunderbird.net/en-US/thunderbird/115.11.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2024-23/
Nicolas Salguero 2024-05-16 14:37:35 CEST

CVE: (none) => CVE-2024-4367, CVE-2024-4767, CVE-2024-4768, CVE-2024-4769, CVE-2024-4770, CVE-2024-4777
Depends on: (none) => 33211
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => thunderbird, thunderbird-l10n

Comment 1 Lewis Smith 2024-05-16 20:39:59 CEST 
thunderbird is definitely your baby, Nicolas.

Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2024-05-17 14:29:16 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Arbitrary JavaScript execution in PDF.js. (CVE-2024-4367)

IndexedDB files retained in private browsing mode. (CVE-2024-4767)

Potential permissions request bypass via clickjacking. (CVE-2024-4768)

Cross-origin responses could be distinguished between script and non-script content-types. (CVE-2024-4769)

Use-after-free could occur when printing to PDF. (CVE-2024-4770)

Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11. (CVE-2024-4777)

References:
https://www.thunderbird.net/en-US/thunderbird/115.11.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-23/
========================

Updated packages in core/updates_testing:
========================
thunderbird-115.11.0-1.mga9
thunderbird-af-115.11.0-1.mga9
thunderbird-ar-115.11.0-1.mga9
thunderbird-ast-115.11.0-1.mga9
thunderbird-be-115.11.0-1.mga9
thunderbird-bg-115.11.0-1.mga9
thunderbird-br-115.11.0-1.mga9
thunderbird-ca-115.11.0-1.mga9
thunderbird-cs-115.11.0-1.mga9
thunderbird-cy-115.11.0-1.mga9
thunderbird-da-115.11.0-1.mga9
thunderbird-de-115.11.0-1.mga9
thunderbird-dsb-115.11.0-1.mga9
thunderbird-el-115.11.0-1.mga9
thunderbird-en_CA-115.11.0-1.mga9
thunderbird-en_GB-115.11.0-1.mga9
thunderbird-en_US-115.11.0-1.mga9
thunderbird-es_AR-115.11.0-1.mga9
thunderbird-es_ES-115.11.0-1.mga9
thunderbird-es_MX-115.11.0-1.mga9
thunderbird-et-115.11.0-1.mga9
thunderbird-eu-115.11.0-1.mga9
thunderbird-fi-115.11.0-1.mga9
thunderbird-fr-115.11.0-1.mga9
thunderbird-fy_NL-115.11.0-1.mga9
thunderbird-ga_IE-115.11.0-1.mga9
thunderbird-gd-115.11.0-1.mga9
thunderbird-gl-115.11.0-1.mga9
thunderbird-he-115.11.0-1.mga9
thunderbird-hr-115.11.0-1.mga9
thunderbird-hsb-115.11.0-1.mga9
thunderbird-hu-115.11.0-1.mga9
thunderbird-hy_AM-115.11.0-1.mga9
thunderbird-id-115.11.0-1.mga9
thunderbird-is-115.11.0-1.mga9
thunderbird-it-115.11.0-1.mga9
thunderbird-ja-115.11.0-1.mga9
thunderbird-ka-115.11.0-1.mga9
thunderbird-kab-115.11.0-1.mga9
thunderbird-kk-115.11.0-1.mga9
thunderbird-ko-115.11.0-1.mga9
thunderbird-lt-115.11.0-1.mga9
thunderbird-lv-115.11.0-1.mga9
thunderbird-ms-115.11.0-1.mga9
thunderbird-nb_NO-115.11.0-1.mga9
thunderbird-nl-115.11.0-1.mga9
thunderbird-nn_NO-115.11.0-1.mga9
thunderbird-pa_IN-115.11.0-1.mga9
thunderbird-pl-115.11.0-1.mga9
thunderbird-pt_BR-115.11.0-1.mga9
thunderbird-pt_PT-115.11.0-1.mga9
thunderbird-ro-115.11.0-1.mga9
thunderbird-ru-115.11.0-1.mga9
thunderbird-sk-115.11.0-1.mga9
thunderbird-sl-115.11.0-1.mga9
thunderbird-sq-115.11.0-1.mga9
thunderbird-sr-115.11.0-1.mga9
thunderbird-sv_SE-115.11.0-1.mga9
thunderbird-th-115.11.0-1.mga9
thunderbird-tr-115.11.0-1.mga9
thunderbird-uk-115.11.0-1.mga9
thunderbird-uz-115.11.0-1.mga9
thunderbird-vi-115.11.0-1.mga9
thunderbird-zh_CN-115.11.0-1.mga9
thunderbird-zh_TW-115.11.0-1.mga9

from SRPMS:
thunderbird-115.11.0-1.mga9.src.rpm
thunderbird-l10n-115.11.0-1.mga9.src.rpm

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs

katnatek 2024-05-17 18:13:58 CEST

Keywords: (none) => advisory

Comment 3 Morgan Leijström 2024-05-17 21:40:43 CEST 
mga9-64 OK for my use:

Tested under Plasma X11, Intel i7-870, nvidia470 on GTX750
closed TB, updated, started

OK:
Swedish locale
settings and local mail preserved
IMAP (offline, IMAP to synk to server)
SMTP

I do not use calendar nor tasks or filtering

CC: (none) => fri

Comment 4 Thomas Andrews 2024-05-18 02:38:08 CEST 
MGA9-64 Plasma Looks good here.

US English, POP mail, newsgroups all are fine. I don't use the calendar, either.

CC: (none) => andrewsfarm

Comment 5 Jose Manuel López 2024-05-20 06:36:20 CEST 
Install in Mga 9 Plasma, works fine for me.

Used yesterday all day.

Send and receive ok.
Addons ok.
Settings ok.
Spanish locale ok.
Accounts and signatures ok.
Calendar and task ok.

CC: (none) => joselp

Comment 6 Thomas Andrews 2024-05-20 13:58:39 CEST 
Several days without issues on two machines. Sending this on.

Validating.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Mageia Robot 2024-05-22 01:38:42 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0191.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED